From 9bcff28e5f39b996033a43760de3fc6a49681b6e Mon Sep 17 00:00:00 2001
From: Rahul <254529899+motsc@users.noreply.github.com>
Date: Mon, 22 Jun 2026 16:05:50 +0200
Subject: [PATCH] ci: pin GitHub Actions to commit SHAs

Replace mutable version tags (@v6, @v2, @v5) with the commit SHA each tag currently resolves to, keeping the version as a trailing comment so Dependabot can still propose bumps. Pinning the third-party action (oven-sh/setup-bun) closes a supply-chain vector where a repointed tag would execute in CI; the first-party actions/* are pinned for consistency.
- actions/checkout v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10
- oven-sh/setup-bun v2 -> 0c5077e51419868618aeaa5fe8019c62421857d6
- actions/cache v5 -> 27d5ce7f107fe9357f9df03efb73ab90386fccae
---
 .github/workflows/ci.yml | 12 ++++++------
 .github/workflows/open-sync-pr.yml | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f793d38..223ec79 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,14 +26,14 @@ jobs:
 run:
 working-directory: api
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 with:
 bun-version: 1.3.13
 - name: Cache Bun packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-codeapi-api-bun-1.3.13-${{ hashFiles('api/bun.lock') }}
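Review bot: Nothing in the hunk ties `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6` to the `v6` tag except the trailing comment, so each SHA (this line, the setup-bun and cache lines, and the same three lines again in the service job hunk) should be confirmed against the action repository's tags, for example with `git ls-remote --tags`, before this merges; a mistyped pin either fails to resolve or silently runs a different commit. The full 40-character SHAs are the right form, since an abbreviated SHA can be matched by a crafted colliding prefix. Pinning the action does not narrow what the checked-out job can do with `GITHUB_TOKEN`: if the api job only installs and tests (its later steps are outside the hunk), the checkout step could add `with:` / `persist-credentials: false` so the token is not left in `.git/config`, and a workflow-level `permissions:` block, if the file lacks one (its header is outside the hunk), is the complementary control. The job definition starts before the hunk.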
@@ -75,14 +75,14 @@ jobs:
 run:
 working-directory: service
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 with:
 bun-version: 1.3.13
 - name: Cache Bun packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-codeapi-service-bun-1.3.13-${{ hashFiles('service/bun.lock') }}
diff --git a/.github/workflows/open-sync-pr.yml b/.github/workflows/open-sync-pr.yml
index 42de35b..ed1c344 100644
--- a/.github/workflows/open-sync-pr.yml
+++ b/.github/workflows/open-sync-pr.yml
@@ -16,7 +16,7 @@ jobs:
 open-pr:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Open PR from sync/main if none exists
 env:
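Review bot: The pinned checkout step in open-sync-pr.yml keeps `actions/checkout`'s default `persist-credentials: true`, so the job token is written into `.git/config` before `Open PR from sync/main if none exists` runs; if that step authenticates through its own `env:` value (the step body continues past the end of the hunk), the checkout line should be followed by `with:` and `persist-credentials: false` so the token does not outlive the step that needs it. The comment `# v6` is the only link between the SHA and the tag here as well, so confirm `df4cb1c069e1874edd31b4311f1884172cec0e10` resolves to `v6` in the actions/checkout repository before merging. The `open-pr` job's `env:` mapping and any `permissions:` the workflow declares are outside the hunk.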